Small businesses increasingly find themselves targeted in today’s fast-evolving cyberthreat landscape. Better-resourced organizations have become so difficult to penetrate that cybercriminals are looking for softer targets. Unfortunately, this means that regional businesses, medical practices, government agencies, and even school districts are now in attackers’ crosshairs.
The best recourse for small businesses is to adopt a Zero Trust Architecture (ZTA). In this article, we’ll go over some definitions, then explain how small businesses can build realistic plans to establish ZTA in an affordable manner.
What is zero trust in a small business context?
The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) has developed a useful Zero Trust Maturity Model (ZTMM), outlined in this excellent whitepaper. It offers specific guidance for Federal Civilian Executive Branch agencies in implementing zero-trust architecture, but this guidance is also useable by organizations of all shapes and sizes in the private sector.
CISA’s ZTMM is specifically intended to give such government agencies a pathway to compliance with Executive Order 14028 governing cybersecurity. In a nutshell, Executive Order 14028 called the federal government and its various agencies to adopt a zero-trust architecture for optimal security.
But CISA’s model also offers a robust framework that small businesses can follow to improve their cybersecurity postures. This framework is based on five pillars across the organization, each of which can be measured in terms of four maturity stages.
The 5 pillars of zero trust for small businesses
CISA’s model defines five pillars of zero trust:
- Identity
- Devices
- Networks
- Applications and workloads
- Data
Through gradual implementation and improvement, small businesses can incorporate zero-trust principles for each of these pillars.
The 4 maturity stages of zero trust for small businesses
CISA’s Zero Trust Maturity Model defines four stages of maturity:
- Traditional—Security policies and enforcement are siloed by pillar, with no integration across pillars. Everything security-related must be manually configured and assigned, and every lifecycle has to be managed by hand. There is no aggregated visibility into the organization’s security posture across the five pillars.
- Initial—The organization has begun to break down silos with cross-pillar security policies and enforcement, although integration is not comprehensive. Some system and attribute control is now automated, but this approach is the exception, not the norm. The organization has achieved some aggregated visibility for the security posture of its assets.
- Advanced—Lifecycle and assignment controls are automated wherever possible, with policy enforcement integrated deeply across pillars. The organization has achieved centralized visibility and identity control, and it has established predefined mitigations for specific threat scenarios. Privilege changes are handled based on risk and posture assessments.
- Optimal—Lifecycles and assignment controls are 100% automated, operating just-in-time, with resources automatically reporting their own security posture. Policies exist in a dynamic state driven by automated triggers. Security monitoring and enforcement occurs seamlessly across all five pillars, and the organization has achieved continuous monitoring, centralized visibility, and comprehensive situational awareness.
Top 3 challenges to establishing zero trust
As you can imagine, reaching optimal zero-trust maturity might be a tall order for smaller organizations. Companies typically struggle in three specific areas:
If you’re a small business, you probably don’t have the necessary skillset on the internal IT team. It’s hard to do a good job with security—especially when IT is so busy responding to tickets for business-critical systems and users.
Zero trust requires a net new layer of effort on top of existing effort, and most small businesses simply can’t support that effort internally.
Hint: This is why successful organizations outsource their zero trust initiatives to an MSSP (managed security service provider). That’s one of our passions here at Corsica Technologies—helping small businesses achieve zero trust architecture.
If an organization isn’t familiar with zero trust, then there’s no one at the helm who can evaluate current systems and processes against zero trust recommendations.
Not only that, but most small organizations don’t know where to begin in their quest to establish zero trust architecture.
In other words, companies struggle with 2 kinds of processes here: 1) auditing existing processes against zero trust, and 2) defining the processes for establishing zero trust.
Unfortunately, most smaller organizations use legacy technology that was designed before the zero trust revolution. These technologies either don’t support zero-trust principles, or they would require significant reconfigurations to incorporate such principles.
In addition, zero trust architecture requires net-new technologies that legacy organizations haven’t adopted. Things like threat detection across the five pillars, policy enforcement, and monitoring might all require net-new safeguards. Unless the organization has cybersecurity experts in house, it’s very difficult to know what you don’t know. You need an expert advisor here.
Additional challenges to establishing zero trust
No magic bullet
Simply put, there’s no magic bullet for cybersecurity. An organization can’t just buy one piece of equipment or a new software application and instantly establish a zero trust architecture—let alone keep it secure for years to come. Rather, zero trust is a journey and a collection of systems and policies.
Expensive if done in-house
Given all the systems, processes, and professional resources required to establish ZTA, it can be quite an expensive undertaking if done in-house. This makes it challenging for smaller organizations to maintain the security they need, given their staffing resources.
If you’re a smaller organization, you didn’t get into the business to manage IT and cybersecurity. You got into it to do the things your company excels at. A zero-trust initiative could easily create a significant distraction from your essential mission if you try to execute it in-house. The more you can focus on the things you’re skilled at, the more you’ll maximize your organization’s impact.
Zero trust is not “set it and forget it”
Unfortunately, it’s not enough to go through one cycle of effort in establishing zero trust. The path from traditional to optimal, or even just to advanced maturity, can take twists and turns.
As CISA’s whitepaper explains, “The path to zero trust is an incremental process that may take years to implement.”
While that might sound intimidating for small businesses, the key is to engage an expert partner who can 1) define a feasible path forward, 2) implement or assist in implementation, and 3) continuously evolve the path to stay abreast of new threats and best practices in cybersecurity.
Hint: That’s what we’re all about here at Corsica Technologies.
The path to zero trust for small businesses
Simply put, smaller organizations often lack the resources to succeed with zero trust. However, they need ZTA just as much as larger companies.
The path forward is to engage an expert partner who 1) knows the struggles of small businesses, and 2) knows ZTA from top to bottom.
Here at Corsica Technologies, our team is ideally equipped to audit your existing systems and processes and devise an achievable roadmap for your organization’s zero trust architecture. Get in touch with us today to learn more.